Date: Thu, 28 Mar 2002 05:13:04 +0000
From: Alex Holst <a@area51.dk>
To: security@freebsd.org
Subject: Re: sudo.. a better way maybe?
Message-ID: <20020328051304.GA63631@area51.dk>
In-Reply-To: <20020327123320.T82300@switchblade.cyberpunkz.org>
References: <20020327123320.T82300@switchblade.cyberpunkz.org>

Quoting Rob Andrews (rob@cyberpunkz.org):
> Sudo is safe provided that a user's password and account are not compromised
> by an outside forced intrusion. However. In the event that someone does
> gain access to a user account which does have sudo permission on the machine
> (This happened during a period where there was an openssh bug which allowed
> users on another system to gain passwords being used by other system users
> which were logging into remote system via the hacked system) it would be
> a simple thing to just sudo with the user's current password which they
> already have in hand.

This sounds like a policy question. First, if you are running vulnerable or
trojaned software, all bets are off anyway. Install a file integrity checker.

Second, most users wouldn't need blanket sudo access. Staff *might* need
blanket sudo access.

If you are so worried about compromised accounts, why are you using
password-based authentication for logins and sudo access in the first place?
Get a two-factor authentication solution.

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow. http://a.area51.dk/